FORWARD future threats panel at EC2ND 2008

The European Conference on Computer Network Defense (EC2ND) is an annual conference bringing together academia and industry to discuss topics in network and systems security. This year it was held at Dublin City University in Dublin, Ireland. The programme included a panel organised by FORWARD, where possible future threats to global ICT infrastructure were discussed. The panel consisted of members from all FORWARD working groups (WGs), and was headed by Sotiris Ioannidis.

The discussion started with a talk on smart systems, which mainly focused on the threats introduced by the advent of smart devices. Smartphones and other such mobile smart devices are slowly replacing older mobile phones, greatly increasing the offered functionality. A smartphone can be used for accessing email, online banking, e-commerce, etc., just as with a PC. Furthermore, new location-based services (via GPS) are offered, and plans are being made to turn these devices into e-wallets. Also, since a phone is considered highly personal, users tend to store personal items on it, such as photos, PINs and credit card numbers. All of the above turn these devices into very attractive targets for attackers, while at the same time users are not even aware of the existence of threats against their new device. Applying already developed security solutions to mobile devices is not always possible, because of their inherent limitations, such as limited battery life and hardware resources. As such, additional research is needed to address security in such devices.

Critical systems were discussed second in the panel. Such systems include telecommunications infrastructure, transportation, energy production and distribution, etc. These systems have been using computers for a long time, but there are many plans to allow their management over the Internet in the future. Extending their connectivity can leave them open to a multitude of attacks if security is not considered early in the design and implementation. Unfortunately, in this case as well, people involved with critical systems are not always aware of the new threats and challenges they will be facing.

A very interesting example from the car industry was brought up. Cars today already include 40-50 computers connected via a LAN. Security has not been an issue until now, but with plans to interconnect cars with each other, or even with the Internet, it is obvious that security will be a prime concern. Failure to introduce security mechanisms could prove catastrophic, not in this example alone but in all critical systems.

The final subject of the panel was malware and fraud. The discussion centred on the new incentives and modus operandi of malware writers today. Malware is no longer written “for fun”, but for profit. This becomes clear when considering the very successful worms of the past, such as CodeRed, Blaster, and Sasser. Even though millions of systems were infected, the damage inflicted was relatively small. Today, on the other hand, malware writers are driven by profit, and form groups that resemble traditional crime organisations. Botnets such as the renowned Storm botnet are used to circulate spam e-mail, which either directly provides income to the botnet “owners” or is used to perform fraud. Botnets have even been observed being rented out in the cyber underground through IRC channels and web pages. To better understand this new generation of criminals, traditional investigation is needed to provide warning of new attacks and frauds, while at the same time more research is needed on disrupting malware operation and propagation.

The conclusions drawn from the panel discussion can be summarised as follows: a) additional security research is needed to address future threats to new technologies, and b) well-established industries need to be made aware of the new threats they will be exposed to because of the interconnection of previously unconnected components.